Thunderbird - secure email client

06/03/2009 01:31

Thunderbird - secure email client
Mozilla Thunderbird is a free and open source email client for receiving, sending and storing emails. You can manage multiple email accounts using a single program. Enigmail and GPG will enable you to bring privacy and security to your email communication through the use of encryption.

Homepage: www.mozilla.com/thunderbird
Computer Requirements: All Windows Versions
Versions used in this guide: Thunderbird 2.0.0.18, Enigmail 0.95.7, GNU Privacy Guard (GnuPG) 1.4.9
License: Free and Open-Source Software
Required Reading: How-to Booklet chapter 7. Keeping your Internet Communication Private
Level: 1: Beginner, 2: Average and 3: Intermediate, 4: Experienced, 5: Advanced
Time required to start using this tool: 40 minutes

What you will get in return:
The ability to manage different e-mail accounts through a single program
The ability to read and compose messages after disconnecting from the Internet
The ability to use public key encryption to keep your email private

Installing Thunderbird
Follow any program-specific directions in the Guide. If there are none, simply click the link below and choose a location to save the installer. Find the installer on your computer and double-click it.
Thunderbird:

1.1 Things you should know about this tool before you start
Mozilla Thunderbird is a free, cross-platform and open source email client for receiving, sending and storing emails. An email client is a computer application that lets you download and manage your email messages without an Internet browser. You can manage multiple email accounts using a single program. You must have an existing email account before using Thunderbird. In this chapter, you will learn how to set up Thunderbird for use with a RiseUp and a Gmail account.

Enigmail is an add-on developed for Thunderbird. It lets users access the authentication and encryption features provided by GNU Privacy Guard (GnuPG). GnuPG is a program used to generate and manage the key pairs that are used in public key encryption to keep your email communications private and secure. Before you can begin using Enigmail, you must install GnuPG as described later on in this chapter.

Registering email accounts
In this section, you will learn how to configure Thunderbird for use with your Gmail and/or RiseUp accounts.

Step 1. Select Start > Programs > Mozilla Thunderbird > Mozilla Thunderbird or double-click: to activate the Thunderbird program.

http://en.security.ngoinabox.org/book/export/html/167


When you start Thunderbird for the first time, the Import Wizard screen appears with two options for importing messages and account settings as follows:

Figure 1: The Import Wizard screen
Note: Although the import process is automated, this guide also describes how to manually register your email accounts with Thunderbird.

Step 2. Check the Don't Import Anything option and click:

2.1 How to configure Thunderbird for your RiseUp account
You must register your email accounts with Thunderbird in order to access and use them. Account registration is performed through the New Account Wizard feature that automatically launches itself if you do not have any existing accounts. To add more accounts later on, you can manually run the New Account Wizard by performing the following steps:

Step 1. Select File > New > Account to launch the New Account Wizard.


Figure 2: The Account Wizard - New Account Setup screen
Step 2. Check the Email account option.
Step 3. Click: to activate the Identity screen as follows:

Figure 3: The Account Wizard - Identity screen
Step 4. Enter the name you want to use to identify yourself as being the sender of emails in the Your name: text field. If you intend to create an anonymous email account, either leave this field blank or enter information that does not provide any clues about your identity.
Step 5. Enter the email address of your account in the Email address: text field.
Step 6. Click: to activate the Server Information screen as follows:

Figure 4: The Account Wizard - Server Information screen
Step 7. Check the IMAP option.
Note: POP and IMAP are two of the most widely used methods for downloading your messages through an email client.
Step 8. Enter 'mail.riseup.net' into the Incoming and Outgoing Server: text fields.
Step 9. Click: to activate the User Names screen as follows:


Figure 5: The Account Wizard - User Names screen
Step 10. Enter your RiseUp login name in the Incoming User Name: text field.
Note: The Incoming User Name: is the name that appears before the '@riseup.net' part of that address.
Step 11. Click: to activate the Account Name screen as follows:

Figure 6: The Account Wizard - Account Name screen


Step 12. Enter the name you want to give this account. It can be anything you wish.
Step 13. Click: to activate the Congratulations screen as follows:

Figure 7: The Account Wizard - Congratulations screen
Step 14. Click: to complete registering your RiseUp account with Thunderbird.

The Thunderbird main console should now resemble the following:


Figure 8: The Thunderbird main console displaying the newly registered account
Now that your account has been registered with Thunderbird, you must configure the correct security settings for receiving and sending email.

Warning: Thunderbird may attempt to connect and download your emails immediately. Click Cancel to ignore the email password request screen for the moment, and continue configuring your RiseUp account.

2.2 How to Configure the Security Settings for RiseUp
When you first register your RiseUp account, Thunderbird will be configured to access it through an unsecured communication channel. However, RiseUp supports the use of a secure, encrypted connection between itself and your computer. Before you begin sending or receiving messages, you must configure a few Thunderbird settings to enable this feature.

Step 1. Select Tools > Account Settings to activate the Account Settings - Work Account screen as follows:


Figure 9: The Account Settings - Work Account screen
Step 2. Select Server Settings in the sidebar. The Server Settings screen lets you specify how the connection to the RiseUp email server is made.
Step 3. Check the SSL option in the right-hand window to set the appropriate port for downloading email:

Figure 10: The Security Settings in SSL mode
Step 4. Select the Outgoing Server (SMTP) option in the Account Settings sidebar.


Figure 11: The Account Settings - Outgoing Server (SMTP) screen
Step 5. Click: to activate the SMTP Server screen.

Step 6. Check the SSL option.

Figure 12: The SMTP Server screen


Step 7. Click:

You have now enabled the receiving and sending of email through an encrypted connection.

When connecting to your email provider through the IMAP protocol, you will typically download only a brief description, called a header, of each new email. You must open a message in order to download its full content. This means that newly-received messages may not be accessible while you are disconnected from the Internet. Fortunately, Thunderbird can be configured to download the full content of new messages immediately and make them available for reading while you are offline. To enable this feature, perform the following steps:

Step 8. Select the Offline and Disk Space option in the sidebar.

Figure 13: The Offline & Disk Space Screen
Step 9. Check the two boxes in the top right-hand corner of the window as shown in Figure 13.
Step 10. Click: to finish configuring your RiseUp account and return to the Thunderbird main console.

You are now ready to download your messages from RiseUp.

Step 1. Click: the button to display the Account Password screen as follows:


Figure 14: The Account Password screen
Step 2. Enter your RiseUp account password and click:

Any new email messages will now be downloaded from the email server to your computer.

2.3 How to configure your Gmail account with Thunderbird
Thunderbird also makes it easy for you to send and receive messages using a Gmail account. If you do not have a Gmail account, you can create one at https://mail.google.com. To use Gmail with Thunderbird, you must check a key option in Gmail, then configure Thunderbird very much as you did for your RiseUp account. While you are modifying the Gmail account settings, you should also enable its secure webmail login feature.

2.3.1 Configuring Thunderbird for Gmail
Before entering your Gmail account information into Thunderbird, you must first configure Gmail to 'listen' for or detect connections from external email programs.

Step 1. Log in to your Gmail account using the following secure address: https://mail.google.com.
Step 2. Click the Settings link near the upper right-hand corner of your browser window to display the Gmail Settings page.
Step 3. Click: to display the Forwarding and POP/IMAP tab.

Step 4. Check the Enable IMAP option in the IMAP Access section as follows:

Figure 15: The IMAP Access section of the Gmail Forwarding and POP/IMAP tab.
Step 5. Click: to save your changes.

Note: You should modify one additional setting while you are making configuration changes, although doing so is not required in order to use Gmail with Thunderbird. Configure Gmail to use HTTPS for all webmail connections, to protect yourself in the event that you accidentally access your account through the unsecured HTTP address.

Step 6. Click: near the upper-right corner of your browser window, to display the Gmail Settings page.

Step 7. Select the Always use HTTPS option in the Browser connection section as follows:


Figure 16: The Browser connection section of the Gmail General Settings tab.
Step 8. Click: to save your changes.

You are now ready to create your Gmail account within Thunderbird.

2.3.2 How to Register Gmail with Thunderbird
Thunderbird offers a simplified registration process for Gmail accounts, but using this method will configure Thunderbird to retrieve your email using the POP protocol. If you prefer to use the IMAP protocol, you must register the account manually, as described below. To begin the registration process:

Step 1. Select File > New > Account
Step 2. Check the Email Account option as follows:

Figure 17: The Account Wizard - New Account Setup screen
Step 3. Click: to activate the Identity screen as follows:


Figure 18: The Account Wizard - Identity screen
Step 4. Enter the name you want to use to identify yourself as being the sender of emails in the Your name: text field. If you intend to create an anonymous email account, either leave this field blank or enter information that does not provide any clues about your identity.
Step 5. Enter the email address of your account in the Email address: text field.
Step 6. Click: to activate the Server Information screen as follows:


Figure 19: The Server Information screen
Step 7. Check the IMAP server option.
Step 8. Enter imap.googlemail.com for the incoming and smtp.googlemail.com for the outgoing server details as shown in Figure 19.
Note: If you have already registered RiseUp or another IMAP email account in Thunderbird, you will not be asked for the outgoing server details as shown in Figure 19 and Figure 20. Instead, you will need to enter that information after you have completed the registration process, as described in section 2.3.3 How to Configure Security Settings for Gmail below.
Step 9. Click: to activate the User Names screen as follows:


Figure 20: The User Names screen
Step 10. Verify that the incoming and outgoing user names match your Gmail login name.
Step 11. Click: to activate the Account Name screen as follows:

Figure 21: The Account Name screen
Step 12. Enter a name for this account.

Step 13. Click: to activate the Congratulations screen as follows:

Figure 22: The Congratulations screen
Step 14. Verify that all details you have entered are correct and click:

Now that your Gmail account is registered in Thunderbird, you need to configure the correct security settings for receiving and sending email. This is described below.

Warning: Thunderbird may attempt to connect and download your emails immediately. Click Cancel to ignore the email password request screen for the moment, and continue configuring your Gmail account.

2.3.3 How to Configure Security Settings for Gmail
When you first register your Gmail account, Thunderbird will be configured to access it through an unsecured communication channel. As with RiseUp, Gmail supports the use of a secure, encrypted connection between itself and your computer, but you must change a few Thunderbird settings to enable this feature. You should do this before sending or receiving any messages.

Step 1. Select: Tools > Account Settings to activate the Account Settings screen as follows:


Figure 23: The Account Settings screen
Step 2. Select the Server Settings option on the left side of the Account Settings screen.
Step 3. Check the SSL option in the Security Settings section of the screen as follows:


Figure 24: The Account Settings screen
Step 4. Select the Outgoing Server (SMTP) option on the left side of the Account Settings screen to activate the Outgoing Server (SMTP) Settings screen.
Note: If you had previously registered RiseUp or another IMAP email account in Thunderbird and were not prompted for the outgoing server details in section 2.3.2 How to Register Gmail with Thunderbird, then you should continue the registration process from Step 5 below, in order to create a new outgoing server for use with Gmail. However, if you were prompted for this information in the previous section, then you should skip ahead to Step 10 and continue the registration process from there on.
Step 5. Click: to activate the SMTP Server screen.

Step 6. Fill in the Description and Server Name fields, then check the User name and password option and fill in the User Name field as shown in Figure 25.


Figure 25: The Gmail SMTP Server screen
Step 7. Click: to return to the Account Settings screen.

Step 8. Select your Gmail account from the left side of the Account Settings screen.
Step 9. Select the outgoing Gmail server that you created in Step 5 from the Outgoing Server (SMTP) list as follows:


Figure 26: Configuring Gmail to use the new outgoing server
Step 10. Select the Outgoing Server (SMTP) option on the left side of the Account Settings screen to activate the Outgoing Server (SMTP) Settings screen.
Step 11. Click: to activate the SMTP Server screen, then check the SSL option as shown in Figure 25 above.
Step 12. Click: to return to the Account Settings screen.

Thunderbird will now send and receive email through a secure connection.

Step 13. Select the Offline and Disk Space option in the sidebar.

Figure 27: The Offline & Disk Space Screen
Step 14. Check both options in the Offline section at the top-right corner of the window as shown in Figure 27.
Step 15. Click: to complete the configuration of your Gmail account and return to the Thunderbird main console.

You are now ready to download your messages from Gmail.

Step 1. Click: to display the Mail Server Password Required screen as follows:


Figure 28: The Mail Server Password Required screen
Step 2. Enter your password and click:

Any new email messages will now be downloaded from the email server to your computer.
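
A check for the SSL settings made in sections 2.2 and 2.3.3, as an added example that is not part of the original guide: it reads the account lines of a Thunderbird profile's prefs.js and reports every incoming or outgoing server that is not on an enforced encrypted connection. The pref names (socketType, try_ssl), their numeric values and the sample lines are assumptions made for illustration; confirm them against your own Thunderbird version.

```python
import re

# Constructed sample: account lines as they might appear in a profile's
# prefs.js. Host names come from this guide; everything else is made up.
# Here the Gmail account was registered but its SSL options were never checked.
SAMPLE_PREFS = r'''
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.hostname", "mail.riseup.net");
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server2.type", "imap");
user_pref("mail.server.server2.hostname", "imap.googlemail.com");
user_pref("mail.server.server3.type", "none");
user_pref("mail.server.server3.hostname", "Local Folders");
user_pref("mail.smtpserver.smtp1.hostname", "mail.riseup.net");
user_pref("mail.smtpserver.smtp1.try_ssl", 3);
user_pref("mail.smtpserver.smtp2.hostname", "smtp.googlemail.com");
user_pref("mail.smtpserver.smtp2.try_ssl", 1);
'''

# Assumed meaning of the connection-security values (verify for your version).
MODES = {0: "none", 1: "TLS if available", 2: "TLS", 3: "SSL"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')
KEY_RE = re.compile(r'^mail\.(server|smtpserver)\.([^.]+)\.(.+)$')


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                continue  # not a value this audit needs
    return prefs


def audit(prefs):
    """Classify the connection security of each mail server in prefs."""
    servers = {}
    for name, value in prefs.items():
        m = KEY_RE.match(name)
        if m:
            servers.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = value

    findings = []
    for (kind, key), p in sorted(servers.items()):
        # Skip Local Folders and anything else that is not a mail download.
        if kind == "server" and p.get("type") not in ("imap", "pop3"):
            continue
        # A missing pref is treated as the default, assumed here to be 0.
        mode = p.get("socketType" if kind == "server" else "try_ssl", 0)
        if mode in (2, 3):
            status = "encrypted"      # TLS is required, or SSL as in the guide
        elif mode == 1:
            status = "downgradable"   # falls back to plaintext if TLS fails
        else:
            status = "plaintext"
        findings.append({
            "role": "incoming" if kind == "server" else "outgoing",
            "key": key,
            "host": p.get("hostname", "?"),
            "mode": MODES.get(mode, "unknown"),
            "status": status,
        })
    return findings


def weak_servers(findings):
    """Servers that still need the SSL option from sections 2.2 / 2.3.3."""
    return [f for f in findings if f["status"] != "encrypted"]


if __name__ == "__main__":
    for f in audit(parse_prefs(SAMPLE_PREFS)):
        print("%-8s %-22s %-17s %s" % (f["role"], f["host"], f["mode"], f["status"]))
```

Run it against a copy of prefs.js taken while Thunderbird is closed; any server it lists as plaintext or downgradable should be revisited in Account Settings.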

Security Settings
Security in Thunderbird generally refers to protecting your computer from malicious email messages. Some of them may just be spam, others may contain viruses and spyware. There are several options that need to be switched on and configured in Thunderbird in order to strengthen its security. It is crucial that you also have anti-malware and firewall software installed. Please refer to How-to Booklet chapter 1. Protecting your Computer from Viruses, Malware and Hackers for more information about tools such as Avast, Comodo Firewall and Spybot.

3.1 How to Disable the Preview Pane in Thunderbird
The standard Thunderbird console is divided into three areas: The left side displays the different folders for your email accounts, the right side shows a list of received messages, and the bottom pane displays a preview of the selected email message. The preview comes up automatically as soon as a message has been selected. If that email contains any malicious code, then this message pane could activate it. To avoid this, you should disable this option by performing the following step:

Step 1. Select View > Layout and click the Message Pane option to disable it as follows:

Figure 29: Disabling the Message Pane
The Message Pane will disappear, and you must double-click an email message to read its contents. If an email message looks suspicious (perhaps because it has an unexpected or irrelevant subject title or an unknown sender) you now have the option of deleting it without having to preview its content.

3.2 How to Disable the HTML Feature in Thunderbird


Thunderbird has the ability to create and display email using the same language that is used for web pages, HyperText Markup Language (HTML). This lets you send and receive messages that include images, fonts, colours and other formatting features. If you leave HTML formatting enabled in Thunderbird, however, malicious emails can expose you to some of the same threats posed by web pages. To disable the HTML formatting feature, perform the following step:

Select View > Message Body As > Plain Text as follows:

Figure 30: Disabling the HTML option
3.3 How to Set Privacy Options
Thunderbird has a special settings screen in which the majority of the privacy and security options are configured.

Step 1. Select Tools > Options

Step 2. Click:


Figure 31: The Thunderbird Privacy Settings window
Step 3. Check the relevant options in the Junk tab as shown in Figure 31 if you want Thunderbird to delete email that you have determined to be junk mail. Additional junk mail settings are described later on in this section.
Step 4. Click the Email Scams tab.

Email scams, also referred to as phishing emails, usually try to make you click on a link that is embedded within the email. Frequently, this link directs your browser to a web site that will attempt to infect your computer with a virus. In other cases, the link will take you to a website that appears to be legitimate, in the hopes that you will enter a valid username and password, which can then be used or sold by the person or people that created the malicious site. Thunderbird can help to identify and warn you about emails like this. Additional tools that can help prevent infection from malicious websites are described in the Other Useful Mozilla Add-Ons section of the Firefox chapter.

Step 5. Check the Tell me if the message I'm reading is a suspected email scam option to enable this feature as follows:

Figure 32: The E-mail Scams tab
Step 6. Click the Anti-Virus tab.

This option lets your anti-virus software scan and isolate individual messages as they arrive. Without this setting enabled, it is possible that your entire Inbox folder could be 'quarantined' if you receive an infected message. Obviously, this assumes that you have a functioning anti-virus program installed. Please refer to the Avast guide for more information on how to install and configure anti-virus software.

Step 7. Check the Allow anti-virus clients to quarantine individual incoming messages option to enable it as follows:


Figure 33: The Anti-Virus tab
Step 8. Click the Passwords tab.

Every email account that is registered in Thunderbird requires a password to send and receive email. If you have several accounts, repeatedly entering the same passwords can become an annoying task. You can configure Thunderbird to remember these passwords for you; after that, all you will need is to set a Master Password that will encrypt and protect the other passwords.

Step 9. Check the Use a master password to encrypt stored passwords option to enable it as follows:

Figure 34: The Passwords tab
Step 10. Click:
Step 11. Enter your Master Password twice in the text fields as follows:

Figure 35: The Change Master Password screen
Step 12. Click: to return to the Options window.
Step 13. Click: to return to the Thunderbird main console.


Now you can set Thunderbird to save your email account passwords. The next time you see a window prompting you for your password, enter that password, and then check the Use Password Manager to remember this password option as follows:

Figure 36: The Mail Server Password Required screen
You will then be prompted to enter your master password.

Step 14. Enter your master password and click OK as follows:

Figure 37: The Master Password screen
Now your email account password is encrypted and stored in Thunderbird and you do not need to enter it again. You will be prompted for your master password each time Thunderbird starts up. This feature is very useful if you have more than one email account in Thunderbird.

3.4 How to Enable the Junk Mail Filters
Thunderbird has two built-in junk mail filters that can attempt to determine which of your incoming messages are 'spam.' By default, these filters are disabled, so you must change the necessary settings if you wish to use them. Even when they are enabled, you will continue to receive junk mail, but Thunderbird will automatically sort it into the Junk folder.

Step 1. Select Tools > Account Settings
Step 2. Select the Junk Settings option in the sidebar
Step 3. Check all four options as follows:


Figure 38: The Thunderbird Junk Settings screen
Step 4. Select the SpamAssassin option after Trust junk mail headers set by: as shown in Figure 38. RiseUp's email servers flag junk mail with SpamAssassin headers, so this setting will be helpful if you are using Thunderbird with a RiseUp account. If you are using Gmail, however, it will have no effect.

How to Use Enigmail with Thunderbird
Enigmail is a Thunderbird add-on that allows you to increase the privacy of your email communication through the use of public key encryption. This method of encryption lets you send confidential emails to any correspondent who has sent you their public key. Only the owner of the private key that corresponds to that public key will be able to read the contents of your messages. Similarly, if you give a copy of your own public key to your email contacts and keep the corresponding private key secret, only you will be able to read encrypted messages from those contacts.

Enigmail also allows you to attach digital signatures to your messages. Digital signatures help to prevent other people from sending emails that appear to have come from you. Public key encryption lets you use your own private key to digitally sign messages to anyone who has a copy of your public key. Similarly, if you have a correspondent's public key, you can verify the signatures that she has created using her private key.

The following sections will explain how to:
1. Install Enigmail and GnuPG;
2. Create a key pair, which includes your public and private keys;
3. Exchange and validate public keys;
4. Send and receive encrypted email; and
5. Create and verify digital signatures.


4.1 How to Install Enigmail and GnuPG
In order to use Enigmail, you must install both the Thunderbird add-on itself and the GNU Privacy Guard (GnuPG) encryption software.

4.1.1 How to Install Enigmail
To download and install the Enigmail add-on for Thunderbird, perform the following steps:

Step 1. Right-click this link to Enigmail and then choose the Save Link As... option to download the Enigmail add-on to your computer Desktop.
Step 2. Open Thunderbird, then select Tools > Add-ons as follows:

Figure 39: Activating the add-ons screen
This will activate the Add-ons screen as follows:

Figure 40: Thunderbird Add-ons screen
Step 3. Click: to activate the Select an extension to install screen:


Figure 41: The Select an extension to install screen
Step 4. Select the 'enigmail-0.95.7-tb+sm.xpi' file on your Desktop and then click: to activate the Software Installation screen as follows:

Figure 42: The Software Installation screen
Step 5. Click:

The add-on will be installed, after which you will be asked to restart Thunderbird in order for the changes to take effect.


Figure 43: The Add-ons screen
Step 6. Click: to restart Thunderbird and complete the Enigmail installation.

If the installation was successful, you will notice the OpenPGP menu item appear in Thunderbird after it restarts, as follows:

Figure 44: The OpenPGP menu item
4.1.2 How to Install GnuPG
To install GnuPG, you should perform the following steps:

Step 1. Run the GNU Privacy Guard installer and follow the instructions.
Step 2. In the Choose Components screen, you may leave all items checked, as follows:


Figure 45: The Choose Components screen of the GNU Privacy Guard installer
Step 3. Continue following the instructions until the installation process is complete.

You have now successfully installed the GnuPG encryption software used by Enigmail.

4.1.3 How to Confirm that Enigmail and GnuPG are Working
Step 1. Select OpenPGP > Preferences to display the OpenPGP Preferences screen as follows:

Figure 46: The OpenPGP Preferences screen
You should notice the statement: GnuPG was found in... If the GnuPG program was not installed properly or is located in a different directory from the one expected by Enigmail, the following error message will appear:


Figure 47: OpenPGP Alert error message
Note: In this instance, you may need to check the Override with option and manually select the location of the gpg.exe file on your computer.

Step 2. Click: to return to the Thunderbird main console.

4.2 How to configure Enigmail
Once you have confirmed that Enigmail and GnuPG are working properly, you can configure one or more of your email accounts to use Enigmail and generate one or more key pairs.

4.2.1 How to Enable Enigmail for Your Email account
To enable Enigmail for use with a specific email account, perform the following steps:

Step 1. Select Tools > Account Settings
Step 2. Select the OpenPGP Security menu item in the sidebar as follows:


Figure 48: The Account Settings - OpenPGP Security screen
Step 3. Check the Enable OpenPGP support option and select the Use email address of this identity to identify OpenPGP key option as shown in Figure 48.
Step 4. Click: to return to the Thunderbird main console.

4.2.2 How to Create a Key Pair for Your Email account
Step 1. Select OpenPGP > Key Management to open the Enigmail Key Management screen. If you are using this tool for the first time, it will activate a wizard that can help you create your Enigmail key pair. If the wizard does not automatically start, you can simply follow the instructions in section 4.2.3 How to Create Additional Key Pairs below.
Step 2. Select the Yes, I would like the wizard to get me started option, and click Next as follows:

Figure 49: The OpenPGP Setup Wizard - Welcome screen
Step 3. Select the Yes, I want to sign all of my emails option and click Next on the Signing screen.
Step 4. Select the No, I will create per-recipient rules for those who send me their public key option and click Next in the Encryption screen.
Step 5. Select Yes and click Next in the Preferences screen.
Step 6. Create a strong password, type it into the Passphrase boxes and click Next on the Create Key screen. You can learn more about choosing a strong password from Chapter 3: How to Create and Maintain Good Passwords in the How-to Booklet. You can learn how to store your password securely, as well as how to generate a random password from the KeePass Guide.
Step 7. Click Next in the Summary section to confirm your settings.
Step 8. Wait until Enigmail has created your key pair as follows:


Figure 50: The OpenPGP Setup Wizard - Key Creation screen
Step 9. Click Yes to create the revocation certificate as follows:

Figure 51: The OpenPGP Revocation Certificate confirmation screen
Step 10. Choose a secure location for the certificate and provide a passphrase for your newly created key pair as follows:

Figure 52: OpenPGP passphrase screen
Step 11. Click OK to finish creating the revocation certificate.


Note: You will only need to use your revocation certificate if you feel that someone has gained access to your private key. If that happens, you simply send the certificate to anyone that has been given a copy of your public key. Keep in mind that you might need to do this if your computer is lost, stolen or confiscated. It's advisable to keep a copy of your revocation certificate in several places (for example, on a removable media drive), as well as on the computer itself.

Step 12. Click Finish on the last Thank you screen of the wizard.

Now you should be able to view your newly created key displayed in the Key Management screen as follows:

Figure 53: Enigmail's OpenPGP Key Management screen
Important: It is very important that you make a secure backup of your key and revocation certificate. See Chapter 5: How to Recover from Information Loss in the How-to Booklet for more details on how to make a secure backup.

4.2.3 How to Create Additional Key Pairs

Follow the steps below if you want to create an additional key pair for one of your other email accounts. It is good practice to have a separate key pair for each email account.
Step 1. Select OpenPGP > Key Management
Step 2. Select Generate > New Key Pair from the Key Management screen as follows:

Figure 54: Generating a new key pair using Enigmail
Step 3. Select the Account / User ID you want to use, create a strong password to protect your private key and then type it into the Passphrase text fields in the Generate OpenPGP Key screen as follows:
Step 4. Click the Generate key button to activate the following screen:

Figure 55: The Generate OpenPGP Key screen
Step 5. Your key will be created, after which you will be prompted to generate a revocation certificate by following the same procedure as before.

4.3 How to Exchange Public Keys

Before you can begin sending encrypted email messages to one another, you and your email contacts must exchange public keys. You must also confirm the validity of any key you accept by confirming that it really belongs to its purported sender.

4.3.1 How to Send a Public Key using Enigmail

To send a public key using Enigmail, perform the following steps:

Step 1. Open Thunderbird and click:

to compose a new message.

Step 2. Select OpenPGP > Attach My Public Key to attach your public key to the current email message as follows:

Figure 56: Attaching your public key to a message
You will notice that a file called pgpkeys.asc appears in the Attachments: window.
Step 3. Compose and then send your message. You have now successfully sent your public key to your correspondent. To complete the exchange, she will need to import it and reply with an email containing her own public key.

4.3.2 How to Receive a Public key using Enigmail

You and your correspondent will perform the same steps when importing each other's public keys.
Step 1. Select and open the email containing your correspondent's public key.

Step 2. Click: Enigmail will automatically scan the content of the received message for any encrypted data. When it detects that the message contains a public key, it will notify you and ask if you wish to import the key as follows:

Figure 57: Importing a public key from an email message
Step 3. Click: to import the key.

If the public key importation is successful, you will be notified that the key has been added to your collection as follows:

Figure 58: Public key successfully imported
To confirm that you have received your correspondent's public key, you can perform the following steps at any time:
Step 1. Select OpenPGP > Key Management to display the OpenPGP Key Management screen as follows:

Figure 59: The OpenPGP Key Management screen
Step 2. Confirm that any recently-imported keys are present in this list.

4.3.3 How to Validate Imported Keys

Finally, you must verify that the imported key truly belongs to the person who purportedly sent it, then confirm its 'validity.' This is an important step that both you and your email contacts should follow for each public key that you receive.
Step 1. Contact your correspondent through some means of communication other than email. You can use a telephone, text messages, Voice over Internet Protocol (VOIP) or any other method, but you must be absolutely certain that you are really talking to the right person. As a result, telephone conversations and face-to-face meetings work well if they are convenient and if they can be arranged safely.
Step 2. Both you and your correspondent should determine the 'fingerprints' of the public keys that you have exchanged. A fingerprint is a unique series of numbers and letters that identifies each key. You can use Enigmail's Key Management screen to view the fingerprint of key pairs you have created and public keys you have imported. To do this, right-click on a particular key and select the Key Properties option as follows:

Figure 60: Viewing the public key properties, including its fingerprint.
Step 3. This will activate the Key Properties screen, which displays the public key fingerprint as follows:

Figure 61: Enigmail's Key Properties screen
Your correspondent should repeat these steps. Confirm with each other that the fingerprint of the key each of you has received matches the sender's original. If they don't match, exchange your public keys again and repeat the validation process. If they do match, use Enigmail to sign your correspondent's public key. This will confirm that you have checked and consider the key 'valid'. The fingerprint itself is not a secret and can be recorded for later verification at your convenience. To sign a properly validated public key, you can perform the following steps:

Step 1. Click OK to return to the Key Management screen.
Step 2. Right-click your correspondent's public key and select Sign Key from the menu to activate the Sign Key screen as follows:

Figure 62: The Sign Key screen
Step 3. Click OK and enter your encryption passphrase when prompted.
Step 4. Locate your correspondent's public key in the Key Management screen, to confirm that the Key Validity column displays trusted as follows:

Figure 63: A validated public key marked as trusted
You have now successfully validated your correspondent's public key. He or she should follow the same steps for your public key.

4.3.4 How to Manage Your Key Pairs

You can perform additional tasks by right-clicking your key pair in the Key Management screen as shown in Figure 60 above. In addition to the Key Properties option, other important key-management tasks include:

Change Passphrase - allows you to change the passphrase protecting your key pair.
Manage User IDs - allows you to associate more than one email address with a single key pair.
Generate & Save Revocation Certificate - allows you to generate a new revocation certificate if you have lost the one you created earlier.

4.4 How to Encrypt and Decrypt a Message

Once both you and your correspondent have successfully imported and validated one another's public keys, you are ready to begin sending encrypted messages and decrypting received ones.
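The fingerprint compared in section 4.3.3 is, for the version 4 keys that GnuPG creates by default, a SHA-1 hash computed over the public key packet (RFC 4880, section 12.2). The Python sketch below is an added illustration, not part of the original guide or of Enigmail: it derives the fingerprint of a constructed toy key and shows that a substituted key, or a partial reading of the digits, fails the comparison. All function names and key values are invented for the example.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer (RFC 4880, 3.2)."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a two-byte length and the packet body (RFC 4880, 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def display(fpr: str) -> str:
    """Group the 40 hex digits in fours, a form that is easy to read aloud."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def normalise(text: str) -> str:
    """Keep only the hex digits, upper-cased, so spoken and typed forms compare equal."""
    return "".join(c for c in text.upper() if c in "0123456789ABCDEF")


def fingerprints_match(imported_body: bytes, stated_by_owner: str) -> bool:
    """True only if all 40 digits stated by the owner match the imported key."""
    stated = normalise(stated_by_owner)
    return len(stated) == 40 and stated == v4_fingerprint(imported_body)


# Constructed sample values: toy numbers, far too small for a real key.
CREATED = 1236303060
GENUINE = rsa_public_key_body(CREATED, n=0xC5A1D2E3F4B59687, e=65537)
SUBSTITUTED = rsa_public_key_body(CREATED, n=0xC5A1D2E3F4B59689, e=65537)

if __name__ == "__main__":
    spoken = display(v4_fingerprint(GENUINE)).lower()  # what the owner reads out
    print("owner reads out :", spoken)
    print("genuine key     :", fingerprints_match(GENUINE, spoken))
    print("substituted key :", fingerprints_match(SUBSTITUTED, spoken))
    print("last 8 digits   :", fingerprints_match(GENUINE, spoken[-9:]))
```

Because the hash covers the key material itself, a key swapped in transit yields a different fingerprint even when the name and email address attached to it are identical.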

4.4.1 How to Encrypt a Message

To encrypt an email to your correspondent, perform the following steps:
Step 1. Open your Thunderbird e-mail account and click the Write button to write your message.

Step 2. Click:

to display the OpenPGP Encryption window as follows:

Figure 64: The OpenPGP Encryption Window
Step 3. Check the Sign Message and Encrypt Message options as shown in Figure 64.
Step 4. Click: You may receive a warning that Enigmail cannot encrypt or sign HTML messages. You can fix this by configuring Thunderbird to create all new messages using only 'plain text' formatting. To do so, select Tools > Account Settings from the Thunderbird menu and find the account for which you have enabled Enigmail. Click on the Composition & Addressing option, deselect the Compose messages in HTML format checkbox and click OK.

Step 5. Click: If your message includes any attachments, Enigmail lets you select how those attachments should be processed from the following settings screen:

Figure 65: The Enigmail attachment options screen
Step 6. Check: Encrypt each attachment separately and send the message using inline PGP as shown in Figure 65. Prior to sending your message, Enigmail will encrypt it. If you have chosen to sign the message as well, as described above, Enigmail will ask you to enter your private key passphrase as follows:

Figure 66: The Enigmail private key passphrase screen
Step 7: Enter your passphrase and click OK. Your message is now encrypted, signed and sent to the recipient. You may be prompted to enter your email account password as well.
Important: Enigmail does not encrypt the message heading or subject title bar. Do not include sensitive information in the subject line, as it will not be confidential.

4.4.2 How to Decrypt a Message

When you receive and open an encrypted message, Enigmail will automatically attempt to decrypt it. You will be prompted to enter your passphrase as follows:

Figure 67: The GnuPG private key passphrase screen
After you have entered your private key passphrase, the message is decrypted and displayed as follows:

Figure 68: Viewing a decrypted message
You have now successfully decrypted this message. By repeating the steps described in section 4.4 How to Encrypt and Decrypt a Message each time you and your correspondent exchange messages, you can maintain a private, authenticated channel of communication, regardless of who might be attempting to monitor your email exchanges.
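The warning in section 4.4.1 that the subject line is not encrypted can be checked by looking at a message the way a mail server or eavesdropper would. The Python sketch below is an added illustration, not part of the original guide or of Enigmail; the message, addresses, attachment name and armored block are constructed samples, and the function names are invented. It also shows that with inline PGP the attachment file name travels in a MIME header and so stays readable, even though the attachment content is encrypted.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for GnuPG output; not real ciphertext.
ARMORED = ("-----BEGIN PGP MESSAGE-----\n\n"
           "hQEMA0NvbnN0cnVjdGVkU2FtcGxl\n=AbCd\n"
           "-----END PGP MESSAGE-----\n")


def build_sample() -> bytes:
    """A constructed inline-PGP message with one separately encrypted attachment."""
    msg = EmailMessage()
    msg["From"] = "Claudia <claudia@example.org>"
    msg["To"] = "Pablo <pablo@example.org>"
    msg["Subject"] = "Witness list for Friday"
    msg.set_content(ARMORED)
    msg.add_attachment(ARMORED, filename="witness-names.txt.pgp")
    return msg.as_bytes()


def observer_view(raw: bytes) -> dict:
    """What anyone handling the message in transit or storage can read without a key."""
    msg = message_from_bytes(raw, policy=policy.default)
    view = {"headers": {h: str(msg[h]) for h in ("From", "To", "Subject") if msg[h]},
            "filenames": [], "readable_parts": 0, "encrypted_parts": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue  # the container itself carries no content
        if part.get_filename():
            view["filenames"].append(part.get_filename())
        body = part.get_content()
        text = body if isinstance(body, str) else body.decode("latin-1")
        if text.lstrip().startswith("-----BEGIN PGP MESSAGE-----"):
            view["encrypted_parts"] += 1
        else:
            view["readable_parts"] += 1
    return view


if __name__ == "__main__":
    for key, value in observer_view(build_sample()).items():
        print(f"{key:16}: {value}")
```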

FAQ and Review
Claudia and Pablo have configured Thunderbird to send and receive email through their RiseUp accounts. After checking their email, they are pleased that they can continue reading messages even if they disconnect from the Internet. Shortly thereafter, Claudia and Pablo each installed GnuPG and Enigmail, created their respective key pairs, exchanged public keys and validated one another's keys by comparing fingerprints. Although it has taken them some time to understand the complexities of public key encryption, they can already see the benefits of having an encrypted and secure communication channel. As with all new software, however, they do have some questions.

Q: What happens if I just install Enigmail and not GnuPG?
A: That's simple, really. Enigmail just won't work. After all, it's the GnuPG software that provides the encryption engine that Enigmail uses.

Q: How many email accounts can I set up in Thunderbird?
A: As many as you like! Thunderbird is an email manager and can easily handle 20 or more email accounts!

Q: My friend has a Gmail account. Should I convince him to install Thunderbird and Enigmail?
A: That would be ideal. Just make sure he configures all of his security settings in exactly the same way as you did. Then the two of you will have an extremely effective way of communicating in privacy and safety!

Q: Remind me one more time, which parts of an email message does Enigmail encrypt?
A: Enigmail encrypts the message's content. It doesn't encrypt the subject line of the message, your email address or the name you chose to associate with that email account. So, if you're trying to send a confidential message, make sure the subject line doesn't give you away! And, if you want to stay anonymous, avoid using your real name when you create your email account.

Q: I still don't understand the purpose of digitally signing my messages.
A: A digital signature proves that you're the real sender of a particular message and that the message hasn't been tampered with on its way to your intended recipient. It's a bit like the wax seal on an envelope which contains a very important letter.

5.1 Questions to test yourself with after completing this chapter

1. What are the differences between accessing your email through an Internet browser and a program like Thunderbird?
2. How can you access your email securely using Thunderbird?
3. How can you securely store your email account passwords in Thunderbird?
4. Before you can send an encrypted message to a colleague of yours, what software do you need to install and configure?
5. How can you protect yourself from email containing malicious content?
